the eu e-privacy directive: a monstrous attempt to …...directive 2002/58 had to be implemented in...

International Journal of Law and Information Technology Vol 13 No 1 copy Oxford University Press 2005 all rights reserved doi101093ijliteai003 available online at wwwijlitoupjournalsorg

70

The EU E-Privacy Directive A Monstrous Attempt to

Starve the Cookie Monster

FREDERIC DEBUSSEREacute

One day in June 1994 Lou Montulli sat down at his keyboard to fix one of the biggest problems facing the fledging World Wide Web ndash and as so often happens in the

world of technology he created another one1

1 Introduction The development of the information society is characterized by the intro-duction of new electronic services available through different types oftechnologies and devices Publicly available electronic communicationsservices create new possibilities for users governments and businessesHowever at the same time these services have large capacities and possi-bilities for processing personal data For instance one of the technologiesthat are crucial in the functioning of the Internet so-called lsquocookiesrsquo areused to track an individualrsquos movements on a website and even amongdifferent websites and can be used to store information that the individualsupplies to another website including his name address credit cardnumber etc This is of course of great advantage to advertisers who cancreate profiles of an individual and target their advertisements to match

Associate Researcher at the Interdisciplinary Centre for Law amp Information Technology (ICRI) of theCatholic University of Leuven (Belgium) (wwwlawkuleuvenacbeicri) and Attorney at Law at the Brus-sels Bar with the Technology Media Telecommunications Group of the law firm Stibbe (wwwsti-bbecom) The author is grateful to Prof Anupam Chander of Stanford University and the University ofCaliforniandashDavis for his comments The author can be reached at fredericdebusserestibbecom

1 J Schwartz lsquoGiving Web a Memory Cost Its Users Privacyrsquo (4 September 2001) New York Times at A1


71

the individualrsquos interests but it is problematic in light of the fundamentalright to privacy

In the United States (lsquoUSrsquo) there have already been some lawsuitsagainst companies and organizations that used cookies to gather informa-tion about Internet users The most notorious example of such a caseinvolved the Delaware-based advertising company DoubleClick Inc2 Thiscompanyrsquos marketing niche is its promise to advertisers to place their adsin front of persons most likely to respond to them To this end DoubleClickcollects and analyses an extensive amount of information about Internetusers It accomplishes this by invisibly placing a cookie on the hard driveof individuals who visit one of the 11000 lsquoDoubleClick-affiliatedrsquo web-sites which enables DoubleClick to track those individualsrsquo clickstreamdata The collected information is then compiled into detailed profiles ofInternet users DoubleClick currently has a stockpile of more than 100million such profiles3

In June 1999 DoubleClick caused a public outcry when it purchasedAbacus Direct Corp for more than one billion dollars Abacus was a direct-marketing services company that maintained a vast database of namesaddresses telephone numbers retail purchasing habits and other per-sonal information on approximately ninety percent of American house-holds which it sold to direct marketing companies Through thepurchase DoubleClick intended to combine its massive database oflargely anonymous online profiles with Abacusrsquo personally identifiable offline data so that DoubleClick would be able to create a super databasecapable of matching individualsrsquo online activities with their names andaddresses In March 2000 after a Federal Trade Commission investiga-tion into whether DoubleClickrsquos consumer data policies constitutedunfair or deceptive trade practices several state and federal consumerclass actions raising a variety of statutory and common law tort claims andan investigation by some States DoubleClickrsquos CEO announced that hehad made a lsquomistakersquo by planning to merge both companies databasesand stated that DoubleClick would not undertake such merger until itreached an agreement with the US government and Internet industryregarding privacy standards It agreed to postpone linking personally

2 In re DoubleClick Inc Privacy Litigation 154 FSupp2d 497 (SDNY 2001) Other US cookie cases areIn re Intuit Privacy Litigation 138 FSupp2d 1272 (CDCal 2001) Chance v Avenue A Inc 165 FSupp2d1153 (WDWash 2001) In re Pharmatrak Inc Privacy Litigation 220 FSupp2d 4 (DMass 2002) For a dis-cussion of US cookie cases and remedies available under US law see eg LJ Albrecht lsquoOnline MarketingThe Use of Cookies and Remedies for Internet Usersrsquo (2003) 36 Suffolk University Law Review 421 MRSiebecker lsquoCookies and the Common Law Are Internet Advertisers Trespassing On Our Computersrsquo(2003) 76 Southern California Law Review 893 900 and following JJ Thill lsquoThe Cookie Monster FromSesame Street to Your Hard Driversquo (2001) 52 South Carolina Law Review 921

3 AJ McClurg lsquoA Thousand Words Are Worth a Picture A Privacy Tort Response to Consumer DataProfilingrsquo (2003) 98 Northwestern University Law Review 63 82

THE EU E-PRIVACY DIRECTIVE

72

identifiable information to anonymous user activity until the governmentand the industry could agree upon standards4

Since the successful development of information society services ispartly dependent on the confidence of users that their privacy will not beat risk a legal framework is needed to protect individualsrsquo fundamentalright to privacy and their personal data while at the same time payingattention to legitimate interests of governments and businesses

In this respect on 12 July 2002 the European Parliament and theCouncil of the European Union (lsquoEUrsquo) adopted Directive 200258ECconcerning the processing of personal data and the protection of privacyin the electronic communications sector (lsquoDirective 200258rsquo)5 ThisDirective is part of a package of five new Directives that aim to reform thelegal and regulatory framework of electronic communications services inthe EU6 and it repealed and replaced Directive 9766EC of the EuropeanParliament and of the Council of 15 December 1997 concerning theprocessing of personal data and the protection of privacy in the telecom-munications sector (lsquoDirective 9766rsquo)7 The latter Directive aimed totranslate the general personal data protection principles laid down inDirective 9546EC of the European Parliament and of the Council of24 October 1995 on the protection of individuals with regard to theprocessing of personal data and on the free movement of such data(lsquoDirective 9546rsquo)8 into specific rules for the telecommunicationssector However Directive 9766 was already outdated at the moment ofits adoption in 1997 it had been drawn up in the first half of the ninetiesand ndash as its title and terminology suggest ndash it applied only to the lsquotelecom-municationsrsquo sector whereas by 1997 the Internet and electronic com-munications had already begun to be used with regular frequency9

4 In re DoubleClick Inc Privacy Litigation supra note 2 at 505 5 EU Official Journal 31 July 2002 L 20137 The procedure file of the Directive including all its pre-

paratory documents is available at httpwwwdbeuroparleuintoeiloeil_ViewDNLProcedureViewlang = 2ampprocid = 4483 (all websites referred to in this article were last visited on 31 July 2004)

6 The reform was initiated by the European Commissionrsquos Communication lsquoTowards a new frameworkfor electronic communications infrastructure and associated services The 1999 CommunicationsReviewrsquo COM(1999)539final available at httpeuropaeuintISPOinfosoctelecompolicyreview99review99htm The other four Directives of the package are (1) Directive 200221EC of 7 March 2002on a common regulatory framework for electronic communications networks and services (FrameworkDirective) EU Official Journal 24 April 2002 L 10833 (2) Directive 200220EC of 7 March 2002 on theauthorisation of electronic communications networks and services (Authorisation Directive) EU OfficialJournal 24 April 2002 L 10821 (3) Directive 200219EC on access to and interconnection of elec-tronic communications networks and associated facilities (Access Directive) EU Official Journal 24 April2002 L 1087 and (4) Directive 200222EC on universal service and usersrsquo rights relating to electroniccommunications networks and services (Universal Service Directive) EU Official Journal 24 April 2002 L10851

7 EU Official Journal 30 January 1998 L 241 8 EU Official Journal 23 November 1995 L 28131 9 The European Commissionrsquos initial proposal dates from 1990 (COM(1990)314final) EU Official Journal

5 November 1990 C 27712)


73

Although the EU Article 29 Data Protection Working Party was of theopinion that this Directive also applied to the Internet and e-mails10 itwas still uncertain whether this was indeed the case and the EU wantedto remove this uncertainty by adopting a new Directive

Directive 200258 had to be implemented in national law by the EUMember States by 31 October 200311 However nine Member States ndashBelgium Germany Greece Finland France Luxembourg the NetherlandsPortugal and Sweden ndash failed to do so and in the beginning of December2003 the European Commission opened infringement proceedings againstthem12

One of the innovative provisions of Directive 200258 is Article 5(3)as clarified by Recitals 24 and 25 which sets out a legal framework for theuse of devices for storing or retrieving information such as cookies

This article aims to analyse this new EU legal framework for the use ofcookies First it is described what cookies are what types of cookies thereare and what they can be used for Second it is explained why their usecan be problematic in the light of privacy and personal data protectionThird a critical analysis is made of the new European rules for the use ofcookies

2 Cookie Technology in a Nutshell If an individual wants to visit a website or navigate from webpage to webpagewithin a website then his webbrowser (for instance Microsoft InternetExplorer or Netscape Navigator) sends a request to the server that oper-ates the website Upon receiving the request the server then transmits tothe individualrsquos webbrowser the information that constitutes therequested website or webpage The communication between the individualrsquoswebbrowser and the server that operates the website occurs by means of aprotocol called HyperText Transfer Protocol (lsquoHTTPrsquo) The file sent bythe server to the webbrowser is preceded by an HTTP header which is aset of ASCII strings following a special language called HyperTextMarkup Language (lsquoHTMLrsquo) and containing information about theserver and the document being sent13

10 Working Document No 37 of 21 November 2000 lsquoPrivacy on the Internet ndash An integrated EU Approachto On-line Data Protectionrsquo 23 and following available at httpeuropaeuintcomminternal_marketprivacydocswpdocs2000wp37enpdf

11 For an overview of the implementation of the other four Directives see the European CommissionrsquosCommunication of 19 November 2003 lsquoEuropean Electronic Communications Regulation and Markets2003 Report on the Implementation of the EU Electronic Communications Regulatory PackagersquoCOM(2003)715final

12 See httpeuropaeuintrapidstartcgiguestenkshp_actiongetfile=gfampdoc= IP031663|0|AGEDamplg=ENamptype = PDF

13 See Wikipedia ndash The Free Encyclopedia available at httpenwikipediaorgwikiHTTP


74

HTTP differs from other protocols such as the File Transport Protocol(lsquoFTPrsquo) in that it is a lsquostatelessrsquo protocol which means that each visit to awebsite and even each click within a website is seen by the websitersquos serveras the first visit by the individual Consequently the server lsquoforgetsrsquo every-thing after each request unless it can lsquomarkrsquo a visitor to help rememberit It is at this point that cookies come into the picture their technicalpurpose is to lsquomaintain statersquo between stateless HTTP communicationsIn other words they help a server to remember an individualrsquos activitieson the website(s) concerned

As mentioned above the cookie technology was invented in the mid-nineties by Lou Montulli at that time a programmer at Netscape Com-munications The term lsquocookiesrsquo comes from the computer science termlsquomagic cookiersquo used by Unix programmers14

A cookie is a text file of typically less than four kilobytes of memory thatthe server which operates the visited website places on the individualrsquoshard drive by means of an additional line added to the HTTP headerContrary to some newspaper reports and US court opinions a cookie isthus not an executable computer program or code and cannot functionlike a program15 The syntax of the additional line in the HTTP header of anHTML document is as follows lsquoSet-Cookie NAME = VALUE expires =DATE path = PATH domain = DOMAIN_NAME securersquo

NAME = VALUE is the name of the cookie and its value This is the onlyrequired attribute in the Set-Cookie header the others are optional16

This is the globally unique identifier (lsquoGUIDrsquo) that the server specificallyassigns to an individual and is the main component in the cookiersquos track-ing system it is through this number that companies are able to identifyexactly which websites or webpages an individual has visited before Inother words it is the data that the websitersquos server wants passed back to itwhen a browser requests another page It is this GUID that DoubleClickuses to target individual Web surfers and ensure that they do not see thesame advertisement banner over and over again17

14 A Stuwart lsquoMysteries About the Internet Where Cookie Come Fromrsquo available at httpwwwdominopowercomissuesissue200207cookie001html See also httpwwwmontullicomlou A lsquomagic cookiersquo isdefined as lsquoSomething passed between routines or programs that enables the receiver to perform some operationa capability ticket or opaque identifier Especially used of small data objects that contain data encoded in a strange orintrinsically machine-dependent way [ ] The phrase lsquoit hands you a magic cookiersquo means it returns a result whosecontents are not defined but which can be passed back to the same or some other program laterrsquo (see httpcomputing-dictionarythefreedictionarycommagic20cookie)

15 See M Brain lsquoHow Internet Cookies Workrsquo HowStuffWorks available at httpcomputerhowstuffworkscomcookie1htm See eg In re DoubleClick Inc Privacy Litigation supra note 2 502ndash03 (lsquoCookies arecomputer programs commonly used by Web sites to store useful information [ ]rsquo (emphasis added))

16 See Netscape Support Documentation lsquoPersistent Client State Persistent HTTP Cookiesrsquo at httpwpnetscapecomnewsrefstdcookie_spechtml

17 C Youngblood lsquoA New Millennium Dilemma Cookie Technology Consumers and the Future ofthe Internetrsquo (2001) 11 DePaul University Journal of Art and Entertainment Law 45 49


75

DATE is an attribute that determines how long the cookie persists onthe individualrsquos hard drive Its format is lsquoWdy DD-Mon-YYYY HHMMSSGMTrsquo18 If there is no expiration date then the cookie is stored in mem-ory only and is automatically erased when the individual unloads orcloses his webbrowser the cookie is then called a lsquosessionrsquo (or lsquotran-sientrsquo) cookie Session cookies only store information in the form of asession identification and do thus not store any personally identifiableinformation19 However if the DATE attribute refers to a date in thefuture then the cookie is a so-called lsquopersistentrsquo (or lsquopermanentrsquo orlsquostoredrsquo) cookie and is saved in a file Only such persistent cookies canbe used to track an individual at several visits of one or more websites orwebpages20 Setting the date for an existing cookie to be some day in thepast deletes the cookie

DOMAIN_NAME is an attribute that contains the address of the serverthat sent the cookie and that will receive a copy of the cookie when thewebbrowser requests a file from that server It defaults to the server thatset the cookie if it is not explicitly set in the lsquoSet-Cookiersquo line Thisattribute may be set to equal the subdomain that contains the server sothat multiple servers in the same subdomain will receive the cookie fromthe webbrowser This allows larger websites to coordinate multiple serversin the same subdomain For instance if the DOMAIN_NAME equalswwwcompanycom then machines named onecompanycom twocom-panycom and threecompanycom all receive the cookie from the web-browser The value of DOMAIN_NAME is limited such that only hostswithin the indicated subdomain may set a cookie for that subdomain

PATH is an attribute that is used to further refine when a cookie is sentback to a server When the PATH attribute is set a cookie is only sentback to the server if both the DOMAIN_NAME and the PATH match forthe requested file

lsquoSecurersquo is an attribute that specifies that the cookie is only sent if asecure HTTP (lsquoHTTPSrsquo) is being used Since most websites do notrequire secure connections this attribute defaults to false21

When applying the above to surfing to for instance the URL httpwwwgooglecom then the HTTP header (in HTML) of the response thatGooglersquos server sends to the individualrsquos webbrowser may look like this

HTTP11 200 OK Content-Length 3059 Server GWS20

18 See Netscape Support Documentation supra note 16 19 Webopedia Computer Dictionary available at httpwwwwebopediacomTERMSsession_cookiehtml 20 Webopedia Computer Dictionary available at httpwwwwebopediacomTERMPpersistent_cookie

html 21 US Department of Energy ndash Computer Incident Advisory Capability lsquoInformation Bulletin I-034

Internet Cookiesrsquo (1998) available at httpwwwciacorgciacbulletinsi-034shtml


76

Date Sat 11 Jan 2003 024404 GMT Content-Type texthtml Cache-control private Set-Cookie PREF = ID = 73d4aef52e57bae9TM = 1042253044LM = 1042253044S =

SMCc-HRPCQiqy x9j expires = Sun 17-Jan-2038 191407 GMT path = domain =

googlecom Connection keep-alive

(followed by other HTML text)22 Once a cookie is installed on an individualrsquos hard drive for a particular

website then each time that individual surfs to and navigates throughthat website and requests a different webpage the websitersquos server gainsaccess to the current cookie The information stored in the cookie isattached to every subsequent request from the webbrowser to the websitersquosserver for a different webpage After receiving the cookiersquos informationattached to the webbrowserrsquos request the server may modify that informa-tion to reflect new or updated information Together with the newwebpage the individual requested the server sends a revised cookie thatreplaces the old one Thus once installed on an individualrsquos hard drivecookies facilitate a flow of communication back and forth between thathard drive and the websitersquos server23

3 Why Do Cookies Threaten Privacy The technical purpose of cookies is thus to make it possible that theserver which operates a website can lsquorememberrsquo that an individual visitedthat website or a webpage before cookies allow websites to lsquotagrsquo their visi-tors with unique identifiers so that they can be identified each time theyvisit the website or webpage24 In this way cookies can be very usefulthings For instance if an individual wants to check his e-mail box via theWorld Wide Web then the username and password that have to be typedcan be stored in a cookie so that these data are automatically filled outthe subsequent occasions the individual wants to check his e-mail and thathe thus only has to type them once In the case of electronic commercecookies can be used to retain a record of the items that one has orderedthe previous time so that one can view onersquos shopping basket over a certainperiod of time Cookies can also be used to personalize a website for

22 See Wikipedia ndash The Free Encyclopedia supra note 13 23 See MR Siebecker supra note 2 at 898 24 It is important to note that cookies do not lsquogatherrsquo information the only data available in cookies is

information that users themselves provide to websites and the server of the website then stores in cookies


77

instance when an individual visits a multi-language website a cookie canbe used to remember the individualrsquos language preference

In this context it is important to distinguish between two separatetypes of information that can be stored in cookies personally identifiableinformation and non-personally identifiable information Personallyidentifiable information consists of data that is used to identify an indivi-dual and is mostly provided to the website by the individual himself forinstance in the context of electronic commerce Such information alsocalled lsquotransaction generated informationrsquo25 can include for instance anindividualrsquos name address phone number e-mail address credit cardnumber age gender income marital status number of children healthpolitical affiliation social security number occupation lifestyle dimensionsleisure activities type of car Internet Protocol address etc26 Non-personallyidentifiable information is not linked to any particular personal informa-tion and typically consists of so-called lsquoclickstream datarsquo for instance thenumber of times that an individual clicks on an online advertisement(lsquobannerrsquo)27

The potential harm of cookies does not lie in the information storedon the userrsquos computer itself but in what companies can do with theinformation It is a fact that a company that retrieves some personallyidentifiable information via cookies for instance via electronic com-merce may have some knowledge of some characteristics of individualsThis is a legitimate concern but in most cases the individual has providedthe information himself and has consented to giving the informationIn addition since most websites have only the limited capability to readcookies from an individualrsquos hard drive that that website itself sent ona previous visit it is hard for single information collecting companies tocome to a real lsquodossier effectrsquo The real danger rather lies in so-calledlsquoonline profilingrsquo by means of data mining This consists of recording anindividualrsquos online behaviour through the accumulation of clickstreamand other forms of data into vast databases and the subsequent construc-tion of lsquoprofilesrsquo of individuals based upon that record28 In this contexta third party usually an advertising agent places cookies on individualsrsquo

25 JB Sessler lsquoComputer Cookie Control Transaction Generated Information and Privacy Regulationon the Internetrsquo (1997) 5 Journal of Law and Policy 627 628ndash629

26 Hal Berghel lsquoCaustic Cookiesrsquo (May 2001) Communications of the ACM Vol 44 No 5 19ndash20BT Mckinney amp D Whitten lsquoArkansas Surfers and Their Privacy or Lack Thereof Does the CommonLaw Invasion of Privacy Tort Prohibit E-Tailersrsquo Use of lsquoCookiesrsquorsquo (2002) 24 University of Arkansas at LittleRock Law Review 751 755

27 S Milina lsquoLet the Market Do Its Job Advocating and Integrated Laissez-Faire Approach to OnlineProfiling Regulationrsquo (2003) 21 Cardozo Arts amp Entertainment Law Journal 257 259ndash60

28 See KD Belgum lsquoWho Leads at Half-Time Three Conflicting Visions of Internet Privacy Policyrsquo(1999) 6 Richmond Journal of Law amp Technology 1 8 L Jenab lsquoWill the Cookie Crumble An Analysis ofInternet Privacy Regulatory Schemes Proposed in the 106th Congressrsquo (2001) 49 Kansas Law Review 641 646J Kang lsquoInformation Privacy in Cyberspace Transactionsrsquo (1998) 50 Stanford Law Review 1193 1238M Tonsing lsquoThe Federal Lawyer in Cyberia Privacy Profiles and Cookiesrsquo (October 2000) Federal Lawyer 13


78

hard drives from its own servers The clickstream data collected by suchthird parties is in some ways more comprehensive than those of singlewebsite owners because third parties serve material on a number of differ-ent websites If company A company B and company C all enter into anagreement with third party D to place advertisements on each of theirrespective websites then third party D can use the same cookie irrespec-tive of which of the three websites an individual is visiting In other wordswhereas companies A B and C only know what individuals do when theyare on their respective websites third party D can link behaviour of agiven individual on any of these websites to that individualrsquos behaviour onany of the other websites29 In this way third party D can associate non-personally identifiable information retrieved from a cookie of companyArsquos website with personally identifiable information retrieved from acookie of company Brsquos website

This cookie-facilitated interaction for advertising purposes such as thatof DoubleClick works as follows When an individual visits website Xthen the HTML code underlying the webpage at website X tells the indi-vidualrsquos webbrowser that it needs to display several advertisements on thewebpage and it refers the individualrsquos browser to server Y ie the serverof the advertising placement servicersquos website When the request from theindividualrsquos webbrowser arrives at server Y the latter determines whetheror not the individual has one of Yrsquos cookies (or one of Yrsquos network of asso-ciates) If there is no such cookie then server Y installs a cookie on theindividualrsquos hard drive If there is already such a cookie on the individ-ualrsquos hard drive then server Y accesses it analyses the stored clickstreamdata combines that data with data about the individual previouslyretrieved and finds out what kind of advertisement the individual shouldbe interested in Server Y then responds to the request from the individ-ualrsquos webbrowser by filling the advertising space on website Xrsquos webpagewith advertisement banners targeted to the individualrsquos profile Theowner of website X is paid for displaying the banner ads (each view iscalled a lsquohitrsquo) and receives more revenue if the individual clicks throughon the banner to the sponsorrsquos website (a lsquoclickrsquo) The owner of server Yearns money from the advertisers for placing the targeted banner adver-tisements on the requested webpage30

In addition it has to be pointed out that the scope and penetration ofdata-profiling activities will probably increase with a new technology initiativeaimed at facilitating the sharing of data among several businesses It is

29 L Kovarsky lsquoTolls on the Information Superhighway Entitlement Defaults for Clickstream Datarsquo(2003) 89 Virginia Law Review 1037 1049ndash50 LA Kurtz lsquoThe Invisible Becomes Manifest InformationPrivacy in a Digital Agersquo (1998) 38 Washburn Law Journal 151 164 RK Zimmerman lsquoThe Way the lsquoCookiesrsquoCrumble Internet Privacy and Data Protection in the Twenty-First Centuryrsquo (2000-01) 4 New York UniversityJournal of Legislation and Public Policy 439 444ndash445

30 L Jenab supra note 28 at 545ndash46


79

currently rather difficult for companies to exchange customer databecause there is no uniform standard method for compiling and collect-ing such data so that a company can share such data with another com-pany only if it first transforms the data into a form that the othercompany can read The creation of the Customer Profile Exchange(lsquoCPEXrsquo) and the advent of Extensible Markup Language (lsquoXMLrsquo) willmake this possible CPEX formed in 1999 is an alliance of technologycompanies dedicated to developing lsquoa vendor-neutral open standard forfacilitating the privacy-enabled interchange of customer informationacross disparate enterprise applications and applicationsrsquo31 To achievethis goal CPEX is developing a common language based on XML thatwill allow different companies to exchange data more easily XML is simi-lar to HTML but unlike HTML XML has a greater capacity for facilitat-ing the sharing of data HTML currently allows website owners to use onlya limited array of tags to designate whether Web text should be forexample a certain font size or colour A characteristic of HTML tags isthat they identify whether the text is a name zip code or e-mail addressXML in contrast can attach identifying tags to any type of text allowingit to be recognized Because anyone can define XML tags XML cannotby itself facilitate exchanges of customer data among companies a stand-ard format must exist for the tags CPEX wants to develop common speci-fications of XML so that companies collecting customer data can quicklytransfer that data to other companies32

There are several possible self-help measures against the installing ofcookies First webbrowsers permit their users to set their lsquopreferencesrsquoto accept or reject cookies to notify the user before accepting a cookieor to accept only cookies that will be returned to the originating websiteA second possibility is to manually delete all cookies installed in thelsquocookie jarrsquo after having finished surfing the World Wide Web33 Thirdthere is also software for examining editing blocking or eradicatingcookies such as Cookie Pal Cookie Master 2 Cookie Crusher Crumbler97 Cookie Cutter etc34 However it is perceived that self-help does notseem to be sufficient and that there should also be a legal framework withrespect to the use of cookies Below we turn to an analysis of the new EUlegal framework for the use of cookies

31 See httpwwwcpexchangeorgaboutmissionasp 32 AJ McClurg supra note 3 at 85ndash86 33 Eg to delete cookies with Microsoft Internet Explorer see httpsupportmicrosoftcomdefaultaspx

scid = kbEN-US278835 34 CF Luce Jr lsquoInternet Privacy Spam and Cookies How to Avoid Indigestion While Binging at the

World Wide Automatrsquo (October 1998) Colorado Lawyer 27 30


80

4 The EU Legal Framework for the Use of Cookies

The new EU legal framework for the use of cookies is laid down inArticle 5(3) of Directive 200258 which provides the following lsquoMemberStates shall ensure that the use of electronic communications networks to storeinformation or to gain access to information stored in the terminal equipment of asubscriber or user is only allowed on condition that the subscriber or user concernedis provided with clear and comprehensive information in accordance with Directive9546EC inter alia about the purposes of the processing and is offered the rightto refuse such processing by the data controller This shall not prevent any technicalstorage or access for the sole purpose of carrying out or facilitating the transmissionof a communication over an electronic communications network or as strictlynecessary in order to provide an information society service explicitly requested bythe subscriber or userrsquo Article 5(3) is further clarified by Recitals 24 and 25of the Directive

This new legal framework was not included in the European Commis-sionrsquos initial proposal35 but has been introduced by the European Parlia-mentrsquos amendments to the proposal36 which were later modified by theCouncil of the EU37 The European Parliamentrsquos intention was to pro-hibit the use of cookies without the Internet usersrsquo prior explicit consentIt proposed the following provision lsquoMember States shall prohibit the use ofelectronic communications networks to store information or to gain access toinformation stored in the terminal equipment of a subscriber or user without theprior explicit consent of the subscriber or user concerned This shall not preventany technical storage or access for the sole purpose of carrying out or facilitating thetransmission of a communication over an electronic communications networkrsquo 38

However as will be explained below the Council later replaced theParliamentrsquos intended prohibition to use cookies unless prior explicitconsent by a permission to use cookies on the condition that informationand a right to refuse the cookie are provided

Before analysing Article 5(3) and its related Recitals it is necessary toexamine the legal frameworkrsquos material and territorial scope

35 Proposal of 25 August 2000 for a Directive of the European Parliament and of the Council concerningthe processing of personal data and the protection of privacy in the electronic communications sectorEU Official Journal 19 December 2000 C 365E223

36 EU Official Journal 13 June 2002 C 140E121 37 Common Position No 262002 of 28 January 2002 adopted by the Council acting in accordance with

the procedure referred to in Article 251 of the Treaty establishing the European Community with a viewto adopting a Directive of the European Parliament and of the Council concerning the processing ofpersonal data and the protection of privacy in the electronic communications sector EU Official Journal14 May 2002 C 11339

38 Amendment 26 supra note 36 at C 140E128


81

41 Assessment of the Scope

411 Interaction between Directives 9546 and 200258 Two Interpretations

The interaction between Directive 9546 and Directive 200258 isimportant for determining the exact scope of Directive 200258 and itsprovision about cookies One is spontaneously inclined to think thatsince Directive 200258 is intended to be a lex specialis vis-agrave-vis Directive9546 the former prevails over the latter in case of a conflict betweenprovisions so that an examination of their interaction seems superfluousHowever the provisions of Directive 200258 that set out its scope arewritten in an enigmatic way so that the interaction between both Direc-tives is rather unclear For instance whereas Article 1 of Directive 200258 provides that the provisions of Directive 200258 lsquoparticularize andcomplementrsquo those of Directive 9546 Directive 200258 seems to retaindifferent criteria as regards its territorial scope laid down in Article 3Although Directive 9546rsquos main criterion for determining its territorialapplication is the location of the controller of the processing of personaldata this location criterion is not taken into account in Article 3 of Directive20025839

The text of Directive 200258 not being clear there are two possibleinterpretations of the interaction between both Directives

The first possible interpretation is based on the purpose of Directive200258 set forth in Article 1(2) and clarified by Recital 10 and theopinion of the Article 29 Data Protection Working Party Article 1(2) pro-vides that lsquo[t]he provisions of this Directive particularize and complement Direc-tive 9546EC for the purposes mentioned in paragraph 1rsquo Recital 10 providesthat lsquo[i]n the electronic communications sector Directive 9546EC applies inparticular to all matters concerning protection of fundamental rights and freedomswhich are not specifically covered by the provisions of this Directive including theobligations on the controller and the rights of individuals Directive 9546ECapplies to non-public communications servicesrsquo In 2000 the Article 29 DataProtection Working Party issued an opinion on the repealed Directive9766 in which it said that lsquo[i]t should [ ] not be forgotten that the specificdirective 9766EC only complements the general directive 9546EC by establish-ing specific legal and technical provisions When revising the specific directive itwill be necessary to take into account respect and be coherent with the provisions ofthe general data protection directive 9546EC that applies to any processing ofpersonal data falling under its scope irrespective of the technical means usedrsquo 40

39 See Working Document No 37 of 21 November 2000 supra note 10 40 Opinion 22000 of 3 February 2000 concerning the general review of the telecommunications legal

framework 2-3 available at httpeuropaeuintcomminternal_marketprivacydocswpdocs2000wp29enpdf


82

These provisions and the Working Partyrsquos opinion imply that both Direc-tives apply cumulatively Directive 9546 being neutral with regard to itsmaterial scope is the lex generalis for the processing of personal data andDirective 200258 the material scope of which is specific for the elec-tronic communications sector is the lex specialis for the processing ofpersonal data in the context of electronic communications and bothDirectives interact according to the principle lex specialis derogat legi generaliThere would however be one exception to this cumulative applicationDirective 9546 applies to natural persons only whereas Article 1(2) ndash asexplained by Recital 1241 ndash of Directive 200258 provides that this Direc-tive also protects lsquothe legitimate interests of subscribers who are legalpersonsrsquo

Consequently under this interpretation except for the provisions withrespect to legal persons the scope of Directive 200258 is determined bythe same criteria as those that determine the scope of Directive 9546

The second possible interpretation is based on the terminology usedin Directive 200258 and the fact that it is not explicitly provided inDirective 200258 that its scope is determined by the same criteria asthat of Directive 9546 For instance Article 3 of Directive 200258does not seem to rely on the same criterion of territorial attachment asthat of Directive 9546 (see infra) In addition some provisions do notseem to exclusively deal with the processing of personal data forinstance Article 5(3) about cookies (see infra) One could thus inferfrom this that Directive 200258 of course deals with the processingof personal data in the framework of network and electronic communi-cations services but that it nevertheless does not have the same scopeof territorial application as Directive 9546 or even that it does notexclusively deal with the processing of personal data as is the case withDirective 954642

Below it will be demonstrated that following the first or the secondinterpretation directly influences the determination of the precise scopeof Directive 200258

412 Material Scope Cookies and Other Little Brothers Article 5(3) of Directive 200258 is vague as regards its material scope Itaims at regulating the use of electronic communications networks tostore information or to gain access to information stored in the terminal

41 Recital 12 provides lsquoSubscribers to a publicly available electronic communications service may be natural orlegal persons By supplementing Directive 9546EC this Directive is aimed at protecting the fundamental right toprivacy as well as the legitimate interests of legal persons This Directive does not entail an obligation for MemberStates to extend the application of Directive 9546EC to the protection of the legitimate interests of legal persons whichis ensured within the framework of the applicable Community and national legislationrsquo

42 J Dhont amp K Rosier lsquoDirective vie priveacutee et communications eacutelectroniques premiers commentairesrsquo(2003) Revue Ubiquiteacute ndash Droit des technologies de lrsquoinformation (Belg) No 15 p 7 p 11ndash12


83

equipment of a subscriber or user but it neither refers to any specifictechnologies nor to any types of information that it covers

As regards the technologies this vagueness undoubtedly correspondsto the intention to remain as technology-neutral as possible One sourceof interpretation is Recital 24 which provides some examples of technol-ogies other than cookies that are covered lsquospyware web bugs hidden identi-fiers or other similar devices [that] can enter the userrsquos terminal equipment withouttheir knowledge in order to gain access to information to store hidden informationor to trace the activities of the userrsquo

The absence of an explanation of the term lsquoinformationrsquo can lead totwo possible interpretations of the types of information that are covereddepending on whether one sticks to the purpose of Directive 200258 ndashwhich is to regulate the processing of personal data ndash or whether onethinks that the terminology used in Article 5(3) is aimed to be more neu-tral and silently departs from the Directiversquos purpose43 If one emphasizesthe purpose of Directive 200258 which is according to Article 1(1) tolsquoensure an equivalent level of protection of fundamental rights and freedoms andin particular the right to privacy with respect to the processing of personal data inthe electronic communication sectorrsquo then the information covered is limitedto lsquopersonal datarsquo within the meaning of Article 2(a) of Directive 954644

Consequently under this interpretation Article 5(3) only applies tocookies that store or gain access to data that is related to a natural personwho is or can be identified If however one stresses the difference in ter-minology between both Directives ie the use of the term lsquopersonal datarsquoin Directive 9546 and the use of the term lsquoinformationrsquo in Directive200258 then Article 5(3) applies to any information stored in theterminal equipment of a subscriber or user whether or not this informa-tion consists of lsquopersonal datarsquo45 It is clear that the scope under this inter-pretation is tremendously broader One can find some support for thissecond interpretation in Recital 24 of Directive 200258 which providesthat lsquo[t]erminal equipment of users of electronic communications networks andany information stored on such computer equipment are part of the private sphereof the users requiring protection under the European Convention for the Protectionof Human Rights and Fundamental Freedomsrsquo This Recital thus clearly saysthat information stored on terminal computer equipment is by definitionpart of the private sphere and seems to imply that Directive 200258applies to such information and not only to information that is lsquopersonal

43 J Dhont amp K Rosier supra note 42 at 31ndash32 44 This Article defines lsquopersonal datarsquo as lsquoany information relating to an identified or identifiable natural per-

son an identifiable person is one who can be identified directly or indirectly in particular by reference to an identifica-tion number or to one or more factors specific to his physical physiological mental economic cultural or socialidentityrsquo

45 See O Hermanns lsquoDie Verwendung von lsquoCookiesrsquo im E-Commerce Das Recht auf informationelleSelbstbestimmung im europaumlischen deutschen und belgischen Rechtrsquo (2002) 55 available at httpwwwfu-berlindejuramapomagisteroliverhermannpdf


84

datarsquo as defined in Directive 9546 This interpretation is followed by theUnited Kingdom (lsquoUKrsquo) Information Commissioner who has explicitlystated that the UK Regulations (that implement Directive 200258) lsquoapplyto all uses of such devices not just those involving the processing of personal datalsquo(emphasis added)46

It has to be pointed out that Article 5(3) does not pay any attention tothe purpose of the intrusion It can be inferred from this that it appliesno matter what the purpose is of the person or company that stores oraccesses information

413 Territorial Scope Worldwide Application One of the most relevant issues in practice is the question of when install-ing a cookie is subject to the rules set forth in Directive 200258 Forinstance does the Directive apply to the situation in which a cookie isinstalled on an individualrsquos hard drive which is located in the EU by anindividual or a company located outside the Union for instance in theUS Since the territorial scope of legal rules in the context of communi-cations networks is usually complex it is surprising that it can be inferredfrom the preparatory documents of Directive 200258 that its territorialscope was never discussed in any significant way during the draftingprocess

The territorial scope of Directive 200258 is laid down in Articles 1(1)and 3(1) Article 1(1) provides that lsquo[t]his Directive harmonises the pro-visions of the Member States required to ensure an equivalent level ofprotection of fundamental rights and freedoms and in particular theright to privacy with respect to the processing of personal data in theelectronic communication sector and to ensure the free movement ofsuch data and of electronic communication equipment and services inthe Communityrsquo (emphasis added) Article 3(1) provides that lsquo[t]hisDirective shall apply to the processing of personal data in connectionwith the provision of publicly available electronic communications serv-ices in public communication networks in the Communityrsquo (emphasisadded) According to these provisions the criterion for determiningwhether the Directive territorially applies seems to be the fact that thepersonal data are processed in the framework of electronic communica-tions services provided in public communications networks in the Com-munity The wording lsquoin the Communityrsquo does not only refer to lsquopubliccommunications networksrsquo but also to lsquoservicesrsquo since a communicationservice is necessarily linked to a communications network47 in addition

46 UK Information Commissioner lsquoGuidance to the Privacy and Electronic Communications (EC Direc-tive) Regulations 2003 ndash Part 2 Security Confidentiality Traffic and Location Data Itemised Billing CLIand Directoriesrsquo (2003) 4 available at httpwwwinformationcommissionergovukeventualaspxid = 96

47 J Dhont amp K Rosier supra note 42 at 22


85

the European legislature confirms in Article 1(1) that it intends to regu-late lsquoelectronic communication services in the Communityrsquo As a resultDirective 200258 would thus apply to a service provider established outsidethe EU offering electronic communication services to individuals situatedin the EU

At first sight this constitutes a different scope from that of Directive9546 for the latter Directiversquos territorial point of attachment set forthin its Article 4(1)48 is the establishment of the controller of the process-ing of personal data on the territory of an EU Member State or in theabsence of such an establishment the use of equipment automated orotherwise situated in an EU Member State It thus seems that the territo-rial scope of Directive 200258 which follows the lsquocountry of destinationrsquoprinciple is much wider than that of Directive 9546 which in principledoes not apply to the processing of personal data conducted by a controllerestablished outside the EU This difference would be contrary to Article 1(2)of Directive 200258 which provides that this Directive lsquoparticularizes andcomplementsrsquo Directive 9546 and can thus not have a wider territorialscope than the latter Directive

However it seems that with regard to cookies relying on the territorialpoint of attachment of Directive 9546 does in fact not lead to a solutiondifferent from that resulting from Directive 9546 The Article 29 DataProtection Working Party has indicated that under its Article 4(1)(c)49

Directive 9546 territorially applies if the controller of the processing (1)uses equipment over which he exercises at least partial control and (2)has the intention to process personal data50 In other words the serviceprovider thus has to have the intention to process personal data by meansof the equipment situated in an EU Member State that is at its disposalAccordingly the simple act of using a publicly available communicationnetwork on the territory of the EU without the said intention does notsuffice to justify the application of Directive 9546 Applying this reason-ing to cookies the Working Party is of the opinion that Directive 9546applies to the installation of cookies on a computer located on the terri-tory of the EU from outside the EU since (1) a userrsquos computer can be

48 Article 4(1) lsquoEach Member State shall apply the national provisions it adopts pursuant to this Directive to theprocessing of personal data where (a) the processing is carried out in the context of the activities of an establishment ofthe controller on the territory of the Member State when the same controller is established on the territory of several Mem-ber States he must take the necessary measures to ensure that each of these establishments complies with the obligationlaid down by the national law applicable (b) the controller is not established on the Member Statersquos territory but in aplace where its national law applies by virtue of international public law (c) the controller is not established on Com-munity territory and for purposes of processing personal data makes use of equipment automated or otherwise situ-ated on the territory of the said Member State unless such equipment is used only for purposes of transit through theterritory of the Communityrsquo

49 See supra note 48 50 Working Document No 56 of 30 May 2002 on determining the international application of EU data

protection law to personal data processing on the Internet by non-EU based web sites 10 available athttpeuropaeuintcomminternal_marketprivacydocswpdocs2002wp56_enpdf


86

viewed as lsquoequipmentrsquo within the meaning of Article 4(1)(c) of Directive9546 (2) the installer of the cookie lsquomakes usersquo of that equipment wheninstalling a cookie and (3) lsquothe controller decided to use this equipmentfor the purposes of processing personal data and [ ] several technicaloperations take place without the control of the data subject The con-troller disposes over the userrsquos equipment and this equipment is not usedonly for purposes of transit through Community territoryrsquo The WorkingParty has consequently stated that the national law of the Member Statewhere the userrsquos computer is located applies to the question under whatconditions his personal data may be collected by placing cookies on hishard drive51

Since the EU Member Statesrsquo legislation implementing Directive 9546and Directive 200258 thus applies to persons and legal entities outsidethe Union (for instance those located in the US) installing cookies on acomputer located on an EU Member Statersquos territory the European legalframework for the use of cookies has a tremendous extra-territorialapplication

42 Assessment of the Legal Rules The new legal framework for the use of cookies laid down in Article 5(3)of Directive 200258 consists of two parts (1) two substantive obliga-tions and (2) two exceptions to these obligations It must be pointed outhowever that one must also comply with the rights and obligations setforth in Directive 9546

421 Two Substantive Obligations Article 5(3) allows the use of electronic communications networks tostore information or to gain access to information stored in the terminalequipment of a subscriber or user on the condition that the subscriber orthe user (1) is provided with clear and comprehensive information inaccordance with Directive 9546 inter alia about the purposes of the pro-cessing and (2) is offered the right to refuse such processing by the datacontroller In other words installing a cookie is subject to (a) an obligationto provide information and (b) an obligation to offer a right to refuse

Obligation to Provide Information The first condition set forth in Article 5(3) is that the user or subscriber isprovided with clear and comprehensive information in accordance withDirective 9546 inter alia about the purposes of the processing

The fact that Article 5(3) provides that information has to be providedlsquoin accordance with Directive 9546rsquo implies that the person placing thecookie must comply with the obligation to inform laid down in Article 10

51 Id at 11


87

of Directive 9546 This information includes (1) the identity of the con-troller of the processing and of its representative if any (2) the purposesof the processing for which the personal data are intended and (3) anyfurther information such as (a) the recipients or categories of recipientsof the personal data (b) whether replies to the questions are obligatoryor voluntary as well as the possible consequences of failure to reply and(c) the existence of the right of access to and the right to rectify the per-sonal data In all probability the information about whether replies tothe questions are obligatory or voluntary and about the consequences offailure to reply can be transposed to the cookie context into informationabout whether allowing a cookie to be placed is required or not to visitthe website or make use of its service and about the consequences of notallowing a cookie to be placed In this respect Recital 25 of Directive200258 provides that lsquo[a]ccess to specific website content may still be made con-ditional on the well-informed acceptance of a cookie or similar device if it is usedfor a legitimate purposersquo In other words a legitimate consequence of notallowing a cookie may be that the individual cannot visit the website ormake use of certain services

It thus seems that Directive 200258 does not entail a new obligation toinform that is different from that set forth in Directive 954652 Conse-quently the question arises as to what the added value is of repeating theobligation to inform the obligation to inform under Directive 9546applies anyway since Recital 10 of Directive 200258 provides that lsquo[i]nthe electronic communications sector Directive 9546EC applies in particular toall matters concerning protection of fundamental rights and freedoms which arenot specifically covered by the provisions of this Directive including the obligationson the controller and the rights of individualsrsquo (emphasis added)

A possible interpretation is that repeating the obligation to inform inDirective 200258 aims to ndash in the context of cookies ndash no longer distin-guish between data of natural persons and data of legal persons It couldbe argued that since Article 1(2) of Directive 200258 provides that itsprovisions lsquoprovide for protection of the legitimate interests of subscrib-ers who are legal personsrsquo the purpose of repeating the obligation toinform is that also subscribers who are legal persons have to be informedand this in contrast with Directive 9546 under which only natural per-sons have to be informed (since this Directive does not apply to data oflegal persons) However this interpretation would run counter to Recital12 of Directive 200258 which provides that lsquo[t]his Directive does not entailan obligation for Member States to extend the application of Directive 9546 to theprotection of the legitimate interests of legal personsrsquo It is unclear whether thisthen implies that there is no obligation to inform if the subscriber is alegal person

52 O Hermanns supra note 45 at 55 58


88

Another ndash and the most plausible ndash interpretation is that repeating theobligation to inform in Directive 200258 aims to ndash in the context ofcookies ndash no longer distinguish between lsquopersonal datarsquo (as defined inArticle 2(a) of Directive 9546) and lsquonon-personal datarsquo It could beargued that a person installing a cookie still has to provide informationeven if that cookie processes data that do not identify a natural person orallow such person to be identified This interpretation is in accordancewith our assessment of the material scope of Article 5(3)

A consequence of explicitly referring to the obligation to inform aboutthe purposes of the processing in accordance with Directive 9546 is thatArticle 5(3) imposes another obligation ie the obligation to complywith the requirement that the purposes of the processing be legitimate asset forth in Articles 6 and 7 of Directive 9546 This requirement is con-firmed in Recital 24 of Directive 200258 which provides that lsquo[t]he use ofsuch devices should be allowed only for legitimate purposes with the knowledge ofthe users concernedrsquo In this context Recital 25 of Directive 200258 pro-vides that lsquosuch devices for instance so-called lsquocookiesrsquo can be a legitimate anduseful tool for example in analysing the effectiveness of website design and advert-ising and in verifying the identity of users engaged in on-line transactionsrsquo It hasto be pointed out that this again raises the question of whether or not thisrequirement applies with regard to data about legal persons

Obligation to Offer a Right to Refuse The second condition set forth in Article 5(3) of Directive 200258 is theoffering of a lsquoright to refusersquo the cookies This terminology seems ratherinappropriate since the notion of refusal comes close to the notion ofconsent which implies that the user would have only one single oppor-tunity to deal with the cookie If he does not refuse it the first time thenhe can no longer withdraw his consent for ndash according to Recital 25 (seeinfra) ndash the right to refuse can be offered once and cover any future useof the cookie during subsequent connections which would thus deprivethe user of any remedy during subsequent connections It wouldundoubtedly have been better to use the term lsquoright to objectrsquo which isused in Directive 9546 with regard to the processing of personal data fordirect marketing purposes53 The right to object can be exercised at anytime also during subsequent connections In this respect it has to bepointed out that as mentioned above technical solutions make it pos-sible to suppress cookies at any time The use of the right to object wouldhave overcome the problem of multiple users of one terminal equipmenta problem which is explicitly addressed in Recital 25 lsquoUsers should have theopportunity to refuse to have a cookies or similar device stored on their terminalequipment This is particularly important where users other than the original user

53 Article 14 of Directive 9546


89

have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipmentrsquo54

An odd circular problem of the rule that the offering of a right torefuse can cover subsequent connections is that if the user or subscriberrefuses the cookie it is not clear how the service provider will be able tolsquorememberrsquo this since the provider is not allowed to install a cookie thatcontains the information that the user exercised his right to refuseMaybe this may qualify as an example of the first exception to the obliga-tion to provide information and a right to refuse (see infra)

Although the user or subscriber has a right to refuse cookies he never-theless has to bear the consequences of his refusal for further visiting thewebsite or using a service for ndash as already mentioned above in the con-text of the obligation to inform ndash Recital 25 of Directive 200258 providesthat lsquo[a]ccess to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device if it is used for a legitimate purposersquoThis seems to imply that a service provider can refuse to give access to aservice although the cookie installed on the computer is not necessary forthe supply of the service The existence of a legitimate purpose that justi-fies the use of a cookie suffices to permit the service provider to make theservice conditional on the acceptance of the cookie

Who Has to Comply With the Obligations Article 5(1) of Directive 200258 does not specify who has to comply withthe obligations to provide information and to offer the right to refusewhich seems to imply that it is the person or company that uses the cookieconcerned It is worth noting that Recital 25 of the Common Position No262002 on Directive 200258 provided that these obligations had to becomplied with by lsquothe operator of a website sending such devices or allowing thirdparties to send them via his websitersquo55 It is not clear why the latter wordinghas been deleted in the final version of the Directive since it is an appro-priate point of view The UK Information Commissionerrsquos point of viewon this issue seems to be based on the Common Positionrsquos wording lsquoTheRegulations [ie the UK legislation implementing Directive 200258] donot define who should be responsible for providing the information outlined in Regu-lation 6(2) Where a person operates an online service and any use of a cookie typedevice will be for their purposes only it is clear that that person will be respon-sible for providing the information in question We recognize that it is possible fororganisations to use cookie type devices on websites seemingly within the control ofanother organisation for example through a third party advertisement on a web-site In such cases the organization to whom the site primarily refers will be obligedto alert users to the fact that a third party advertiser operates cookies It will not be

54 J Dhont amp K Rosier supra note 42 at 34 55 See supra note 37


90

sufficient for that organization to provide a statement to the effect that they cannotbe held responsible for any use of such devices employed by other persons they allowto place content on their websites In addition the third party would also have aresponsibility to provide the user with the relevant informationrsquo 56

When and How Must the Obligations be Complied With Recital 25 of Directive 200258 provides more guidelines as regards whenand how the obligations to provide information and to offer a right torefuse must be complied with lsquoInformation and the right to refuse may beoffered once for the use of various devices to be installed on the userrsquos terminalequipment during the same connection and also covering any further use that maybe made of those devices during subsequent connections The methods for givinginformation offering a right to refuse or requesting consent should be made as user-friendly as possiblersquo

As regards the moment to comply with the obligations this provisionseems to require a website to provide information and offer the right torefuse at the moment that the connection is made

It is however not clear how the obligations have to be complied withThe text of Article 5(3) of Directive 200258 provides that the subscriberor user has to be lsquoprovided withrsquo the information and must be lsquoofferedrsquo aright to refuse Similarly Recital 25 merely provides that users lsquoshouldhave the opportunity to refusersquo (emphasis added) It is not clear whether ornot this means that the information and the right to refuse expressly haveto be brought to the individualrsquos attention by means of an activelydirected communication for instance in the form of a pop-up windowRecital 25 does not explicitly prescribe that a pop-up window be used butspecifies that lsquo[t]he methods for giving information offering a right to refuse orrequesting consent should be made as user-friendly as possiblersquo This terminologyseems to imply that there has to be a specific communication addressedto the user or subscriber and that it does not suffice for the person whohas to comply with the obligations to have recourse to a simple technicallsquopossibilityrsquo for the subscriber or user to access the information and exer-cise the right to refuse the cookies This interpretation finds support inRecital 25 which provides that the information and the right to refusemay be offered once covering any further use that may be made of cookiesduring subsequent connections if the information only has to be accessibleto the user then this concession would be of no practical interest57

The UK Information Commissioner seems to share this opinion by say-ing that lsquo[t]he requirement that the user or subscriber should be lsquogiven the opportu-nity to refusersquo the use of the cookie type device may be subject to differinginterpretation At the very least however the user or subscriber should be given a

56 UK Information Commissioner supra note 46 at 5ndash6 57 J Dhont amp K Rosier supra note 42 at 33ndash34


91

clear choice as to whether or not they wish to allow a service provider to engage inthe continued storage of information on the terminal in question (originalemphasis) The fact that an lsquoopportunity to refusersquo such storage or access mustbe provided imposes a greater obligation on the relevant party than that theyshould simply make such a refusal a possibilityrsquo (emphasis added)58 In trans-lating this into practice however the Commissioner takes a rather prag-matic view lsquoThe mechanism by which a subscriber or user may exercise their rightto refuse continued storage should therefore be prominent intelligible and readilyavailable to all not just the most literate or technically aware Where the relevantinformation is to be included in a privacy policy for example the policy should beclearly signposted at least on those pages where a user may enter a website The rele-vant information should appear in the policy in a way that is suitably prominentand accessible and it should be worded so that all users and subscribers are capableof understanding and acting upon it without difficulty [ ] Although a stand-ard approach would be beneficial whether service providers choose to make theirown switch off facilities available or else explain to the user or subscriber how theycan use the facilities specific to their browser type is less important than that themechanism is uncomplicated easy to understand and accessible to all There is inaddition nothing to prevent service providers from requiring users to lsquoopt inrsquo toreceipt of the cookie as opposed to providing them with the opportunity to lsquooptoutrsquorsquo 59 The Information Commissioner thus seems to be of the opinionthat it might suffice to provide the information and offer the right torefuse in a privacy policy visibly posted on the website

As regards the obligation to offer a right to refuse this opinion wouldthen boil down to explaining in the privacy policy how the webbrowsercan be used to refuse cookies However as regards the right to refuse theCommissionerrsquos statements seems to be inherently contradictory since itis not clear what the difference is between simply making a refusal a pos-sibility (which the Commissioner says is insufficient) and merely explain-ing in a privacy policy how a webbrowser can be used to refuse cookies(which the Commissioner says is sufficient) In any event it would be log-ical that unless an exception applies (see infra) a cookie may not beinstalled at the moment itself that an individual visits a website since hethen would not have had the opportunity to refuse the cookie

As regards the obligation to inform it is worth mentioning in this respectthat in the Common Position version of Directive 200258 Article 5(3)provided that the user had to lsquoreceive in advancersquo the information andRecital 25 provided that lsquoclear and precise prior informationrsquo had to be pro-vided (emphasis added) The fact that in the Directiversquos final version thewording lsquoin advancersquo in Article 5(3) and lsquopriorrsquo in Recital 25 has beendeleted and that the term lsquoreceiversquo in Article 5(3) has been replaced by

58 UK Information Commissioner supra note 46 at 5 59 UK Information Commissioner supra note 46 at 5ndash6


92

lsquoprovide withrsquo may be an argument for contending that providinginformation in a privacy policy (which is as opposed to a pop-up windowa lsquopassiversquo way of communicating) is sufficient However this argument isnot valid for offering the right to refuse

422 Two Exceptions The second sentence of Article 5(3) of Directive 200258 contains a ndashrather enigmatic ndash exception to this general regime lsquoThis shall not pre-vent any technical storage or access for the sole purpose of carrying outor facilitating the transmission of a communication over an electroniccommunications network or as strictly necessary in order to provide aninformation society service explicitly requested by the subscriber or userrsquo

The use of the wording lsquothis shall not preventrsquo does not make it easy toassess the exact scope of this exception Does it aim to waive the obliga-tion to provide information andor to offer a right to refuse Or does itallow the person or company that has to comply with the obligations toinform and offer the right to refuse to ignore the userrsquos refusal TheRecitals do not provide any guidelines for answering this question It maybe useful to examine whether the national laws implementing Directive200258 shed light on this matter In the UK for instance Article 6(1) ofthe implementing Regulations provides that lsquo[s]ubject to paragraph (4)a person shall not use an electronic communications network to store informationor to gain access to information stored in the terminal equipment of a subscriber oruser unless the requirements of paragraph (2) are metrsquo Paragraph 2 containsthe obligations to inform and offer the opportunity to refuse Paragraph4 then provides that lsquo[p]aragraph (1) shall not apply to the technical storage ofor access to information for [ ] the above-mentioned exceptionsrsquo (emphasisadded) The wording lsquoshall not applyrsquo seems to imply that in such casesthe service provider does not have the obligation to provide informationand offer a right to refuse

The Directiversquos exception regime applies only in the event of a lsquotech-nical storage or accessrsquo for one or two possible purposes It is not clearwhat such lsquotechnical storage or accessrsquo exactly means A plausible inter-pretation may be that the required lsquotechnicalrsquo nature of the storage oraccess implies that there may not be any processing of personal data forthe exception regime to apply

A first situation in which a technical storage or access qualifies as anexception is if it is lsquofor the sole purpose of carrying out or facilitating the trans-mission of a communication over an electronic communications networkrsquo It is notreally clear what this exception exactly means but it seems to intend toallow the use of mere session cookies60 This interpretation is based onthe Recital that the European Parliament proposed when it amended the

60 In the same sense O Hermanns supra note 45 at 55 58


93

European Commissionrsquos initial proposal with a provision about cookiesThis proposed Recital referred to session cookies in general terms lsquoTheprohibition of storage of communications [ ] by persons other than the userswithout the usersrsquo consent is not intended to prohibit any automatic intermediateand transient storage of this information in so far as this takes place for the solepurpose of carrying out the transmission in the electronic communications networkand provided that the information is not stored for any period longer than is neces-sary for the transmission [ ]rsquo (emphasis added)61 Although the EuropeanParliamentrsquos proposal for a prohibition of cookies was replaced by a per-mission to install cookies in combination with an obligation to provideinformation and to offer a right to refuse this first exception (althoughslightly reworded) was maintained in the Directiversquos final version so thatthe Parliamentrsquos proposal is a solid basis for interpretation

In any event it is clear that the purpose of carrying out or facilitatingthe transmission of a communication has to be the sole purpose if there isanother concurrent purpose then the exception does not apply

A second situation in which a technical storage or access qualifies as anexception is if it is lsquoas strictly necessary in order to provide an information societyservice explicitly requested by the subscriber or userrsquo The term lsquoinformation soci-ety servicesrsquo is not defined in Directive 200258 but in Article 1(a) ofDirective 9834EC of 22 June 1998 laying down a procedure for the pro-vision of information in the field of technical standards and regulations62

as explicitly referred to by Article 2(a) of the EU E-Commerce Directive63

It means lsquoany service normally provided for remuneration at a distance by elec-tronic means and at the individual request of a recipient of servicesrsquo64 Directive9834 does not explicitly explain what lsquonormally provided for remunera-tionrsquo exactly means but it is generally accepted that this means that theservice has to be an economic activity According to the case law of theEuropean Court of Justice an economic activity does not necessarilyrequire that the beneficiary of the service pays for the service the factthat a third party pays the provider of the service is sufficient (for instancea service provider which offers certain online services for free which is

61 Amendment 9 supra note 36 at C 140E124 62 EU Official Journal 21 July 1998 L 20437 as amended by Directive 9848EC EU Official Journal

5 August 1998 L 21718 63 Directive 200031EC of the European Parliament and of the Council of 8 June 2000 on certain

legal aspects of information society services in particular electronic commerce in the Internal MarketEU Official Journal 17 July 2000 L 1781

64 In this respect lsquoat a distancersquo means that lsquothe service is provided without the parties being simultaneouslypresentrsquo lsquoby electronic meansrsquo means that lsquothe service is sent initially and received at its destination by means ofelectronic equipment for the processing (including digital compression) and storage of data and entirely transmittedconveyed and received by wire by radio by optical means or by other electromagnetic meansrsquo and lsquoat the individualrequest of a recipient of servicesrsquo means that lsquothe service is provided through the transmission of data on individualrequestrsquo This concept has already been the object of many studies so that it will not be further examinedin this article


94

made possible by revenue coming from advertisement fees paid by thirdparties)

Does this second exception imply that if an individual has requestedan information society service that involves collecting information regard-ing usage it follows that he does not have to be informed and does nothave a right to refuse the cookies concerned It is hard to answer thisquestion in abstracto it will depend on whether the use of the cookie cor-responds to a lsquotechnical storage or accessrsquo (as mentioned above it is notclear what this exactly means) and whether the cookie is lsquostrictly neces-saryrsquo The Directive does not give any information about how the wordinglsquoas strictly necessaryrsquo should be interpreted Something to hold on to canbe found in the UK Information Commissionerrsquos Guidelines which pro-vide that lsquo[t]he term lsquostrictly necessaryrsquo means that such storage of or access toinformation should be essential as opposed to reasonably necessary for this exemp-tion to apply It will also however be restricted to what is essential for the provisionof the service requested by the user rather than what might be essential for any otheruses the service provider might wish to make of that data It will also include whatis required for compliance with any other legislation to which the service providermight be subject for example the security requirements of the seventh data protec-tion principle65 [ ] Where the use of a cookie type device is deemed lsquoimportantrsquo asopposed to lsquostrictly necessaryrsquo the user of the device is still obliged to provideinformation about the device to the potential service recipient so that they can decidewhether or not they wish to proceed The information provided to the user about theuses the collector intends to make of that data should be of sufficient clarity toenable the user to make a truly informed decisionrsquo 66

423 Other Obligations under Directive 9546 Remain Applicable Since Recital 10 of Directive 200258 provides that Directive 9546applies to all matters which are not specifically covered by the provisionsof Directive 200258 including the obligations on the controller and therights of individuals persons and companies that place cookies have tocomply with all provisions of Directive 9546 such as the obligation tonotify the national supervisory authority (provided in its Article 18) or thedata subjectrsquos right of access to the personal data (provided in its Article 12)but only on the condition that the application criteria of Directive 9546are met Amongst other things this means that other obligations underDirective 9546 apply only in the event that via the cookie lsquopersonaldatarsquo as defined in its Article 2(a) are processed these obligations donot apply if data related to legal persons or lsquonon-personal datarsquo related to

65 This principle is lsquoAppropriate technical and organisational measures shall be taken against unauthorisedor unlawful processing of personal data and against accidental loss or destruction of or damage to personal datarsquo(UK Information Commissioner lsquoData Protection Act 1998 ndash Legal Guidancersquo 40 available at httpwwwinformationcommissionergovukeventualaspxid = 96)

66 UK Information Commissioner supra note 46 at 6ndash7


95

natural persons (for instance data that do not identify or allow to identifya natural person)67 are processed

The UK Information Commissioner is of the same opinion saying thatlsquo[w]here the use of a cookie type device does involve the processing ofpersonal data service providers will be required to ensure that they com-ply with the additional requirements of the Data Protection Act 1988[which implemented Directive 9546] This includes the requirements ofthe third data protection principle which states that data controllers shallnot process personal data that is excessive [ ] Where personal data iscollected the data controller should consider the extent to which thatdata can be effectively processed anonymously This is likely to be of par-ticular relevance where the data is to be processed for a purpose otherthan the provision of the service directly requested by the user forexample the counting of visitors to a websitersquo68

A provision of Directive 9546 that does not apply is Article 7 ThisArticle which enumerates the few situations in which personal data maybe processed69 is overridden by Article 5(3) of Directive 200246 One isallowed to process personal data via cookies in any situation also situa-tions that are not enumerated in Article 7 provided that the obligationsto provide information and offer a right to refuse are complied with

One of the far-reaching consequences of the extra-territorial applica-tion of Directives 9546 and 200258 to service providers established out-side the EU placing cookies on hard drives of computers situated in theEU is that these service providers when processing personal data viasuch cookies have to comply with Article 18 of Directive 9546 whichprovides that they have to notify the supervisory authority of the EUMember States before placing any such cookie An important issue in thisrespect is that Member States are allowed to provide certain exemptionsfrom notification which implies that a service provider placing suchcookies may have to be obliged to notify the supervisory authority of oneMember State while it may be exempted from notification in anotherMember State

Such lsquoforeignrsquo service providers also have to comply with Article 25 ofDirective 9546 which provides that the transfer of personal data from

67 In this context the question arises as to whether or not an Internet Protocol address is a lsquopersonaldatarsquo This issue is not further discussed in this article

68 UK Information Commissioner supra note 46 at 4 69 Article 7 lsquoMember States shall provide that personal data may be processed only if (a) the data subject has

unambiguously given his consent or (b) processing is necessary for the performance of a contract to which the data sub-ject is party or in order to take steps at the request of the data subject prior to entering into a contract or (c) processingis necessary for compliance with a legal obligation to which the controller is subject or (d) processing is necessary inorder to protect the vital interests of the data subject or (e) processing is necessary for the performance of a task carriedour in the public interest or in the exercise of official authority vested in the controller or in a third party to whom thedata are disclosed or (f) processing is necessary for the purposes of the legitimate interests by the controller or by the thirdparty or parties to whom the data are disclosed except where such interests are overridden by the interests for fundamen-tal rights and freedoms of the data subject which require protection under Article 1(1)rsquo


96

an EU Member State to a country outside the EU is allowed only if thatcountry has an adequate level of protection of personal data Article 25applies since personal data are collected on the territory of an EU MemberState ie on the hard drives of computers located on that territory andare subsequently electronically transferred outside the EU

If a country has an adequate level of protection then such transfer isallowed As regards a service provider established in the US this meansthat it is allowed to perform such transfers via cookies if it has adhered tothe US Safe Harbor Principles70

According to Article 26 of Directive 9546 other relevant grounds onwhich such transfers are allowed ndash even if the country to which the per-sonal data are transferred does not have an adequate level of protection ndashare (1) the fact that the data subject has given his unambiguous consent tothe transfer (2) the transfer is necessary for the performance of a contractbetween the data subject and the controller or the implementation ofprecontractual measures taken in response to the data subjectrsquos request(for instance in the context of electronic commerce) and (3) the transferis necessary for the conclusion or performance of a contract concluded inthe interest of the data subject between the controller and a third party

If however the service provider is established in a country that has noadequate level of protection (for instance an American company that hasnot adhered to the US Safe Harbor Principles) or cannot rely on one ofthe situations set forth in Article 26 then it is not allowed to transferpersonal data via cookies outside the EU This is again an example of thefar-reaching consequences of the extra-territorial application of Directive200258

5 Conclusion Directive 200258 is probably the first statutory legal framework in theworld that specifically deals with the use of cookies In principle it shouldbe widely applauded because it explicitly recognizes that the use of cookiesgives rise to privacy and data protection problems and it constitutes anattempt to protect the fundamental right of privacy while at the sametime recognizing that cookies can be used for legitimate purposes andthus preserving legitimate interests of businesses It is to be hoped thatthe Directive may therefore be an incentive for other countries to paymore attention to the use of cookies from a privacy point of view

However it has been made clear above that Directive 200258 in gen-eral and its provisions about cookies in particular are not masterpieces oflogic and clear legislative art With regard to the Directive itself one of

70 More information about the US Safe Harbor Principles can be found on httpwwwexportgovsafeharbor


97

the most far-reaching gaps is the lack of a clear description of the exactinteraction between Directive 200258 and its mother Directive 9546There are two valid interpretations on this point the first one is based onthe purpose of Directive 200258 ie to lsquoparticularize and complementrsquoDirective 9546 and provides that the scope of Directive 200258 isdetermined by the same criteria as those that determine the scope ofDirective 9546 the second one is based on the different terminology inboth Directives and the fact that it is not explicitly stated in Directive200258 that its scope is determined by the same criteria as those thatdetermine the scope of Directive 9546 and provides that Directive200258 can have a different scope

This general hiatus directly influences the scope of the provisions thatspecifically deal with the use of cookies For instance as regards the mate-rial scope it is not completely clear whether or not these provisions applyto information processed via cookies that cannot be qualified as lsquopersonaldatarsquo within the meaning of Directive 9546 for example informationrelated to legal persons On the other hand it has been explained that asregards the use of cookies both Directives have the same tremendouslyextra-territorial scope they not only bind service providers established onthe territory of an EU Member State but also those established outsidethe EU for instance in the US

There are also other lsquobugsrsquo in the cookie-related provisions which mayresult from the fact that the Directiversquos first draft versions did not containany rules on the use of cookies and that the final cookie-related provi-sions have been inserted in a hurry without thorough analysis Forinstance the introduction of the new concept of the right to lsquorefusersquoraises several questions for example as regards its relationship with theright to lsquoobjectrsquo which is used in Directive 9546 Another gap is the factthat there is no concrete guidance as to how the obligations to provideinformation and offer a right to refuse must be complied with It is also notentirely clear what types of cookie uses are covered by the two exceptions

In conclusion the question can be raised whether the new EU legalframework that regulates the Cookie Monster is not a monster itself


71

the individualrsquos interests but it is problematic in light of the fundamentalright to privacy

In the United States (lsquoUSrsquo) there have already been some lawsuitsagainst companies and organizations that used cookies to gather informa-tion about Internet users The most notorious example of such a caseinvolved the Delaware-based advertising company DoubleClick Inc2 Thiscompanyrsquos marketing niche is its promise to advertisers to place their adsin front of persons most likely to respond to them To this end DoubleClickcollects and analyses an extensive amount of information about Internetusers It accomplishes this by invisibly placing a cookie on the hard driveof individuals who visit one of the 11000 lsquoDoubleClick-affiliatedrsquo web-sites which enables DoubleClick to track those individualsrsquo clickstreamdata The collected information is then compiled into detailed profiles ofInternet users DoubleClick currently has a stockpile of more than 100million such profiles3

In June 1999 DoubleClick caused a public outcry when it purchasedAbacus Direct Corp for more than one billion dollars Abacus was a direct-marketing services company that maintained a vast database of namesaddresses telephone numbers retail purchasing habits and other per-sonal information on approximately ninety percent of American house-holds which it sold to direct marketing companies Through thepurchase DoubleClick intended to combine its massive database oflargely anonymous online profiles with Abacusrsquo personally identifiable offline data so that DoubleClick would be able to create a super databasecapable of matching individualsrsquo online activities with their names andaddresses In March 2000 after a Federal Trade Commission investiga-tion into whether DoubleClickrsquos consumer data policies constitutedunfair or deceptive trade practices several state and federal consumerclass actions raising a variety of statutory and common law tort claims andan investigation by some States DoubleClickrsquos CEO announced that hehad made a lsquomistakersquo by planning to merge both companies databasesand stated that DoubleClick would not undertake such merger until itreached an agreement with the US government and Internet industryregarding privacy standards It agreed to postpone linking personally

2 In re DoubleClick Inc Privacy Litigation 154 FSupp2d 497 (SDNY 2001) Other US cookie cases areIn re Intuit Privacy Litigation 138 FSupp2d 1272 (CDCal 2001) Chance v Avenue A Inc 165 FSupp2d1153 (WDWash 2001) In re Pharmatrak Inc Privacy Litigation 220 FSupp2d 4 (DMass 2002) For a dis-cussion of US cookie cases and remedies available under US law see eg LJ Albrecht lsquoOnline MarketingThe Use of Cookies and Remedies for Internet Usersrsquo (2003) 36 Suffolk University Law Review 421 MRSiebecker lsquoCookies and the Common Law Are Internet Advertisers Trespassing On Our Computersrsquo(2003) 76 Southern California Law Review 893 900 and following JJ Thill lsquoThe Cookie Monster FromSesame Street to Your Hard Driversquo (2001) 52 South Carolina Law Review 921

3 AJ McClurg lsquoA Thousand Words Are Worth a Picture A Privacy Tort Response to Consumer DataProfilingrsquo (2003) 98 Northwestern University Law Review 63 82


72








5 November 1990 C 27712)


73











74











75











76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






72








5 November 1990 C 27712)


73











74











75











76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






73











74











75











76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






74











75











76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






75











76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






76










77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






77









78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






78







79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






79







80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






80











81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






81









82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






82









83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






83









84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






84








85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






85









86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






86







51 Id at 11


87






88






89







90








91






92








93











94







95










96









97






87






88






89







90








91






92








93











94







95










96









97






88






89







90








91






92








93











94







95










96









97






89







90








91






92








93











94







95










96









97






90








91






92








93











94







95










96









97






91






92








93











94







95










96









97






92








93











94







95










96









97






93











94







95










96









97






94







95










96









97






95










96









97






96









97






97





the eu e-privacy directive: a monstrous attempt to …...directive 2002/58 had to be implemented in...

Documents